Encrypted BTRFS Root with EFI

There are many reasons why you might want to encrypt your root partition, and if you are reading this you presumably have one.

There are a million different ways you could set up your partition scheme. I’m just going to show you one way here. I’m going to assume you have a decent amount of experience with Linux because encryption and Arch Linux are not for n00bs.

First, boot the Arch Linux Live CD off a UEFI Flash Drive.

Preliminary:

Update repos:

# pacman -Syy

OPTIONAL AMAZING STEP – Configure your system from a remote terminal:

# pacman -S openssh

# systemctl start sshd

Preparing your Drive:

If installing to an SSD, make sure to Secure Erase your drive; if installing to an HDD, make sure to write random data to your drive before proceeding.

SSD:

# dd if=/dev/zero of=/dev/sda

Create GPT Partitions:

# gdisk /dev/sda

NOTE: inside gdisk, pressing “?” (the question mark) at any time lists all of the available commands and what each key does.

If it asks about an existing MBR or GPT like this:

Found invalid MBR and corrupt GPT. What do you want to do? (Using the GPT MAY permit recovery of GPT data.)
1 – Use current GPT
2 – Create blank GPT

Then press 2 to create a blank GPT and start fresh

ZAP:

press x – to go to extended menu

press z – to zap

press Y – to confirm

press Y – to delete MBR

It might now kick us out of gdisk, so get back into it

# gdisk /dev/sda

This time you will not get asked about an existing MBR or GPT, because we cleared them.

NOTE: when asked where each partition should start (“Start Sector”), just hit enter and let gdisk auto-align them back to back.

————–

CREATE 1st PARTITION FOR BOOT:

If you didn’t get kicked out of gdisk, press “m” to get back to the main menu from the extended menu.

press n – to create new partition

First Sector – just leave defaults so hit enter

Last Sector – just put “256M” without quotes and hit enter, this makes a 256M partition

Confirm you have 2 partitions with about the same settings as this (if your swap or data are different sizes that’s cool)

After creating the 2nd partition it should have brought you back to the main menu. At the main menu press “p” to see the current pending partition table (it is not written to disk just yet).

OUTPUT SHOULD LOOK LIKE THIS:

Command (? for help): p
Disk /dev/sda: 500118192 sectors, 238.5 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 8E8C0F70-22D8-4FE6-A5AB-E20A0483C2F5
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 500118158
Partitions will be aligned on 2048-sector boundaries
Total free space is 6108 sectors (3.0 MiB)

Number  Start (sector)  End (sector)  Size       Code  Name
   1            2048        614400    256.0 MiB  EF00  EFI System
   3          616448     500118158    230.5 GiB  8300  Linux filesystem

SAVE

Save everything after confirmation

Press w to write to disk

Press Y to confirm

REREAD THE PARTITION TABLE (this is semi-optional; it just makes sure ‘cat /proc/partitions’ shows the new partitions for us):

# hdparm -z /dev/sda

# cat /proc/partitions

Now you should have your 2 partitions, sda1 and sda2.

————–

Make the FAT32 filesystem for EFI boot:

# mkfs.vfat -F32 /dev/sda1

————–

Setting up the Encrypted Filesystem:

Next I am going to show how to make an encrypted volume. Set a passphrase that is super secure. I recommend using a short password combined with a YubiKey static password. You can get a YubiKey here.

# cryptsetup -y -s 512 -c aes-xts-plain64 luksFormat /dev/sda2

Now that you have an encrypted volume, you must open it and give it a device-mapper name:

# cryptsetup luksOpen /dev/sda2 encrypted
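Before opening and formatting, it is worth confirming that the device you are about to use really carries a LUKS header, so that a typo in the device name does not end with mkfs on an unencrypted partition. The following is an added example (not part of the original post) that reads the on-disk magic and version with plain POSIX od; the magic bytes “LUKS\xba\xbe” and the big-endian version field at offset 6 come from the LUKS on-disk format, while the function names and the sample image files are my own constructions.

```shell
# Added example: verify a LUKS header on a block device or image file.
# Assumptions: POSIX sh, od, printf, dd; function names are ours.

luks_magic_hex() {
    # First 6 bytes of $1 as lowercase hex, no spaces (LUKS magic is 4c554b53babe).
    od -An -tx1 -N 6 "$1" | tr -d ' \n'
}

luks_version() {
    # Bytes 6-7 hold the header version, big-endian: 1 (LUKS1) or 2 (LUKS2).
    case "$(od -An -tx1 -j 6 -N 2 "$1" | tr -d ' \n')" in
        0001) echo 1 ;;
        0002) echo 2 ;;
        *)    echo unknown ;;
    esac
}

is_luks() {
    # Exit 0 when $1 starts with the LUKS magic, 1 otherwise.
    [ "$(luks_magic_hex "$1")" = "4c554b53babe" ]
}

assert_luks_device() {
    # Guard to run right before "cryptsetup luksOpen $1 ...": refuse anything
    # that is not LUKS so you never open or format the wrong device.
    if is_luks "$1"; then
        echo "$1: LUKS$(luks_version "$1") header found"
    else
        echo "refusing: $1 has no LUKS header (magic was $(luks_magic_hex "$1"))" >&2
        return 1
    fi
}

make_sample_luks_image() {
    # Constructed sample: first 8 bytes mimic a LUKS2 header, rest is zeros.
    # It is not a usable container, only enough to exercise the check.
    printf 'LUKS\272\276\000\002' > "$1"
    dd if=/dev/zero bs=512 count=8 >> "$1" 2>/dev/null
}

make_sample_plain_image() {
    # Constructed sample: an all-zero image, i.e. no LUKS header.
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
}
```

On a real system you would call `assert_luks_device /dev/sda2` right after luksFormat and again before luksOpen; the sample-image helpers exist only so the check can be tried without touching a disk.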

Now we will format /dev/mapper/encrypted to btrfs:

# mkfs.btrfs /dev/mapper/encrypted

————–

Subvolume Configuration:

We will now make our ROOT subvolume. This will be a folder called ROOT located at the top level of /dev/mapper/encrypted. The design is that when the system boots we will not see /ROOT; we will be inside ROOT, so ROOT itself contains etc, sys, proc and the rest of the tree.

# mount /dev/mapper/encrypted /mnt

# cd /mnt

# btrfs subvolume create /mnt/ROOT

This should show you your ROOT

# btrfs subvolume list -a /mnt

Something like this: ID 256 gen 5 top level 5 path ROOT

# cd /

# umount /dev/mapper/encrypted

Now we will mount the ROOT subvolume on /mnt and dump the Arch system into it with pacman. We will also pass the compress option to make use of the btrfs compression feature.

# mount -o defaults,compress,subvol=ROOT /dev/mapper/encrypted /mnt

NOTE: the plain “mount” command will not show which subvolume is mounted; to see how subvolumes are mounted you need to look inside proc (cat /proc/self/mountinfo).
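To make that mountinfo lookup repeatable, here is an added example (mine, not from the original post) that parses /proc/self/mountinfo according to the field layout documented in proc(5) and prints, for each btrfs mount, the mount point, the source device, the subvol= value and the compression option. The sample mountinfo lines it ships with are constructed to look like the layout built in this post.

```shell
# Added example: show which btrfs subvolume is mounted where.
# mountinfo fields (proc(5)): id parent maj:min root mountpoint opts
# [optional fields...] - fstype source superopts

btrfs_mounts() {
    # $1: a mountinfo file; defaults to the live /proc/self/mountinfo.
    # Output per btrfs mount: <mountpoint> <source> <subvol> <compress-opt or ->
    awk '{
        i = 7
        while (i <= NF && $i != "-") i++      # optional fields end at a lone "-"
        fstype = $(i + 1); source = $(i + 2); superopts = $(i + 3)
        if (fstype != "btrfs") next
        subvol = "-"; compress = "-"
        n = split(superopts, o, ",")
        for (k = 1; k <= n; k++) {
            if (o[k] ~ /^subvol=/)  subvol = substr(o[k], 8)
            if (o[k] ~ /^compress/) compress = o[k]
        }
        print $5, source, subvol, compress
    }' "${1:-/proc/self/mountinfo}"
}

root_is_subvol() {
    # Exit 0 when "/" is mounted from subvolume $2 (e.g. /ROOT) in mountinfo $1.
    btrfs_mounts "$1" | awk -v want="$2" '$1 == "/" && $3 == want { ok = 1 } END { exit !ok }'
}

write_sample_mountinfo() {
    # Constructed sample resembling a system booted into the ROOT subvolume,
    # with /boot on the vfat EFI partition and the top-level btrfs volume
    # mounted at /mnt/top for comparison.
    cat > "$1" <<'EOF'
24 1 0:22 /ROOT / rw,relatime shared:1 - btrfs /dev/mapper/encrypted rw,compress=zlib:3,space_cache,subvolid=256,subvol=/ROOT
30 24 8:1 / /boot rw,relatime shared:2 - vfat /dev/sda1 rw,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro
31 24 0:22 / /mnt/top rw,relatime shared:3 - btrfs /dev/mapper/encrypted rw,compress=zlib:3,space_cache,subvolid=5,subvol=/
EOF
}
```

Run `btrfs_mounts` with no argument on a live system; `root_is_subvol /proc/self/mountinfo /ROOT` is a one-line sanity check you can put in a post-install script.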

Pacman will dump files into a boot folder, so we had better mount our sda1 EFI boot partition there first. Otherwise all of the boot files will land on the encrypted root filesystem instead of the EFI partition:

# cd /mnt

# mkdir /mnt/boot

# mount /dev/sda1 /mnt/boot

Pacstrap the Arch Linux base:

# pacstrap -i /mnt base base-devel

Note that it may ask for confirmation, requiring either “enter” to accept all selections or Y and enter. Just pick whichever option downloads everything.

# genfstab -U -p /mnt >> /mnt/etc/fstab

————–

By default the fstab entry that genfstab generates for the vfat partition has a last field (the fsck pass number) that makes the filesystem get checked too often for vfat. We need to change it so that vfat is never checked, or else it will complain later, so in that entry change the value from 2 to 0, meaning no filesystem check.

Finally, make sure that in that fstab file the entry for the root filesystem (the one we mounted on /mnt) carries “defaults,compress,subvol=ROOT”.
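Both of those fstab edits are easy to get wrong by hand, so here is an added example (my own, not from the original post or from genfstab) that sets the fsck pass number of every vfat entry to 0 and then checks that the root entry mounts subvol=ROOT with compression enabled. The sample fstab it writes is constructed; the UUIDs in it are placeholders, not values from any real system.

```shell
# Added example: fix and verify the fstab produced by genfstab.
# fstab fields: fs_spec fs_file fs_vfstype fs_mntops fs_freq fs_passno

fix_vfat_passno() {
    # Rewrite $1 in place: every non-comment vfat entry gets fs_passno = 0.
    awk 'BEGIN { OFS = "\t" }
         !/^#/ && NF >= 6 && $3 == "vfat" { $6 = 0 }
         { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

vfat_passno() {
    # Print the fs_passno of each vfat entry in $1.
    awk '!/^#/ && NF >= 6 && $3 == "vfat" { print $6 }' "$1"
}

root_opts() {
    # Print the mount options of the entry mounted at "/".
    awk '!/^#/ && NF >= 4 && $2 == "/" { print $4 }' "$1"
}

has_opt() {
    # $1: comma-separated option string, $2: option name; true for "name" or "name=...".
    printf '%s\n' "$1" | tr ',' '\n' | grep -Eq "^$2(=|\$)"
}

root_subvol() {
    # Value of subvol= in the "/" entry, with any leading "/" stripped (ROOT and /ROOT are the same).
    root_opts "$1" | tr ',' '\n' | sed -n 's#^subvol=/\{0,1\}##p'
}

check_fstab() {
    # Exit 0 only when the fstab at $1 matches what this guide expects.
    [ "$(root_subvol "$1")" = "ROOT" ] || { echo "root entry does not mount subvol=ROOT" >&2; return 1; }
    has_opt "$(root_opts "$1")" compress || { echo "root entry has no compress option" >&2; return 1; }
    [ "$(vfat_passno "$1")" = "0" ] || { echo "vfat /boot entry still has fs_passno != 0" >&2; return 1; }
}

write_sample_fstab() {
    # Constructed sample shaped like genfstab -U output after the steps above
    # (placeholder UUIDs; the vfat entry still has the passno 2 we need to fix).
    cat > "$1" <<'EOF'
# Static information about the filesystems (constructed sample).
# /dev/mapper/encrypted
UUID=00000000-0000-0000-0000-000000000001  /      btrfs  defaults,compress,subvol=ROOT  0 0
# /dev/sda1
UUID=0000-0001  /boot  vfat  rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro  0 2
EOF
}
```

On the install medium you would run `fix_vfat_passno /mnt/etc/fstab` followed by `check_fstab /mnt/etc/fstab` right after the genfstab step; the check prints the first thing it finds wrong and exits non-zero.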

Let’s chroot into the /mnt folder:

# arch-chroot /mnt

From this point you would go about the Arch install the same way you would using the wiki found here, with a few modifications that I will show. It is important that we tell the kernel where the root partition is and which partition must be unlocked.